
U.K. and U.S. Government Websites Among Thousands Infected by Cryptocurrency Miner

The attack could have been averted through a technique called subresource integrity, according to researcher Scott Helme.

More than 4,200 websites, including many run by the U.K. and U.S. governments, were infected on Feb. 11 by a Monero cryptocurrency miner delivered through Browsealoud, a hosted accessibility service that can read website content aloud for people with visual impairments.

Browsealoud developer Texthelp has taken the service offline temporarily while it works on a fix. The exploit was active for four hours and Texthelp had been preparing for such an attack for a while, CTO and data security officer Martin McKay said in a statement.

“Texthelp has in place continuous automated security tests for Browsealoud, and these detected the modified file and as a result the product was taken offline,” he wrote. “This removed Browsealoud from all our customer sites immediately, addressing the security risk without our customers having to take any action.”

No customer data was compromised or lost, and an investigation is underway, according to McKay. A list of the affected websites, which stands at 4,275, is available here.

The infection was first reported by security researcher Scott Helme. A friend of Helme’s told him that his antivirus software was issuing a warning when he visited the site of the U.K. Information Commissioner’s Office (ICO), prompting Helme to investigate.

“They’re the people we complain to when companies do bad things with our data,” Helme wrote. “It was pretty alarming to realize that they were running a crypto miner on their site, their whole site, every single page. … I quickly realized though that this script, whilst present on the ICO website, was not being hosted by the ICO, it was included by a 3rd party library they loaded.”

That turned out to be Browsealoud, which had been compromised by attackers that altered one of its hosted JavaScript files, Helme said.

“This is not a particularly new attack and we’ve known for a long time that CDNs or other hosted assets are a prime target to compromise a single target and then infect potentially many thousands of websites,” Helme added.

The attack could have been averted if the sites had employed a simple technique called subresource integrity, Helme said. This tells web browsers to run an integrity check on anything being loaded from a third-party source.

“By embedding the base64 encoded cryptographic hash digest that we expect for the asset into the script or link tag, the browser can download the asset and check its cryptographic hash digest against the one it was expecting,” he wrote. “If the hash of the downloaded asset matches the hash that we provided, then the content is what we were expecting to receive and the browser can safely include the script or style. If the hash doesn’t match then we know we can’t trust the data and it must be discarded.”

It’s not clear how much Monero the attackers managed to generate, but crypto mining schemes have been coming into vogue among cybercriminals. The Smominru botnet, which infected more than half a million machines, has made up to $3.6 million worth of Monero since May, Proofpoint reported.

Last week, a Monero botnet showed up in China and South Korea, infecting Android devices through port 5555, the port associated with the Android Debug Bridge (ADB) tool.

Authors

Threatpost
